From Infrastructures to Services in Public Administration
The impact of Cloud
Questo articolo è disponibile anche in italiano
What if the power lines in front of your home looked like the ones in this picture? Would you be worried?
IT infrastructures play a vital role in many of the activities that have become part of our daily lives. From a strategic point of view, their function is equivalent to that of a utility pole and should be considered on par with resources like highways, power plants, aqueducts and production resources in general. As far as the State is concerned, IT infrastructures are quickly becoming the backbone of a system of services that Public Administrations (PAs) use and provide to citizens. They must therefore be reliable, secure and economically sustainable.
Over the years, however, our technological infrastructure has been developed and organized at random. Decisions have been left to the initiative of each administration and undertaken without a shared vision, coordination, or planning. The result is a jungle of thousands of small, often out-of-date Data Centers, still referred to by the old-fashioned name, CED. These are poorly connected amongst themselves, built according to low standards of quality, lacking adequate security measures, and often managed with insufficient resources in terms of both skills and budget.
The Three-year plan for information technology in the Public Administration, 2017–2019 (here referred to as the ‘Three-Year Plan’), has launched an initiative dedicated to IT infrastructures. It lays the foundation for the consolidation of all existing physical structures (i.e. Data Centers). The consolidation of existing Data Centers, through the elimination of those that are obsolete or insufficiently secure/reliable, will permit a reduction in public spending, thanks to the power of economies of scale.
The introduction of the Cloud will enable the attainment of higher quality services as well as increase security at a much lower cost. These changes will greatly increase the reliability of IT infrastructures, thus facilitating the overall upgrade of the country’s technology services.
In the following paragraphs we will illustrate the journey taken so far in the implementation of the Three-Year Plan, focusing our attention on the progress made, with specific reference to the PA’s Cloud. We will pinpoint the problems, the objectives left to be achieved, and outline the road ahead as we work to bring this “revolution” to completion.
We will also try to give an account of the more general impact that this process of impressive change is destined to produce within the Public Administration and, even more generally, in the market of services that are developed for it.
From data processing centers to national strategic center
The Three-Year Plan outlined a process for rationalizing the physical structures of the IT infrastructure (i.e. data processing centers — CED) with the aim of optimizing IT spending and promoting the use of safer services that are better suited to the needs of citizens and businesses.
The various censuses of the PAs’ IT assets that, since 2013, have been carried out by AgID, reveal a strong fragmentation of resources as well as frequent episodes of technological inadequacy. In fact, among the ICT spending interventions made by the Public Central Administrations (PAC), those relating to data processing centers are the most numerous.
At the end of this review process, it will be possible to select, from among the best candidates, the few capable of providing all other PAs with two main categories of service: IaaS (computing, storage & network) and hosting for special projects. These few will be elected National Strategic Centers (NSC). This decision is scheduled to take place in June 2018 and will be based on the analysis of the results of the review and on the findings of further investigations.
During the selection process, candidates will have to undergo a technological and organizational adjustment to ensure that all NSCs share a model that guarantees uniformity in the provision of services. In the event that no existing candidate is willing to perform the role of NSC or that there are none suitable for this purpose, alternative options, such as the creation ex novo of structures and subjects dedicated to this role, can be assessed.
It is worth citing the example of the British Government’s Crown Hosting Data Centres, where the Government’s Cabinet Office launched a similar project for building a single national Data Center infrastructure. The British Government estimates that by 2026, 585 million euros will have been saved by central administrations alone.
Even though this experience mainly involves the Central Public Administrations of the United Kingdom, it provides a valid reference model, as the strategies identified and the results obtained suggest positive exportability on a much wider scale.
The establishment of NSCs, however, is a process that requires strong political directive. On the one hand, it requires the adoption of strategic choices that cannot disregard national and economic security considerations. On the other, it calls for the development of regulatory support to regulate and define the PSN governance structure. This is a choice that undoubtedly belongs to the new Government.
Why the Cloud?
The replacement of the PA’s IT physical infrastructures and the renovation of application solutions must take place through the migration of services and applications to Cloud infrastructure.
The Cloud, or Cloud Computing, is a paradigm that allows you to store and manage data and software on the Internet in a distributed yet usable way.
Cloud computing can be described through three main service categories: software-as-a-service (SaaS, software applications that are accessible via the Internet on a variety of different devices), platform-as-a-service (PaaS, platforms for developing, testing and distributing applications on the Internet) and infrastructure-as-service (IaaS, physical and virtual technology infrastructure capable of providing computing, networking and storage resources both remotely and via API, effectively bypassing the need to buy hardware).
The adoption of the Cloud paradigm is particularly convenient as it allows users to avoid initial investments in physical infrastructures and gives them greater flexibility to experiment with new services or changing the existing ones at low costs¹. The use of IT services has undoubtedly many more advantages than investing in installing and management of an entire IT supply chain, especially within the PA, whose institutional mandate is to provide services to citizens and businesses, not to build and maintain technological infrastructures. Moreover, this solution is more reliable, as it allows for centralized security updates, and more efficient, as it provides scalable price models (paying for resources as services, with prices based on consumption), thereby reducing costs and energy waste.
For a Public Administration, the advantages of using the Cloud are not only appreciated in terms of savings, but also in terms of logistics and administration. Just think of the management complexity involved in maintaining the physical and logical infrastructure of IT services, personnel, updates, the physical security of the premises, fire protection, 24/7 monitoring, etc. Not to mention the important responsibilities connected to such management activities.
We must remember, in particular, the new responsibilities that derive from the recent European legislation on personal data protection². This regulation requires the adoption of appropriate technical and organizational measures, as well as the implementation of specific procedures and controls for all actors involved in the treatment of personal data. These regulations must be followed to avoid incurring heavy penalties.
The PA Cloud
To allow migration to Cloud Infrastructure, the Three-Year Plan has introduced the PA Cloud, a virtual environment within which the PAs will be able to provide their online services to users (citizens, businesses and the PAs themselves), and manage internal use applications, in compliance with minimum efficiency and safety requirements.
The Cloud First Strategy
Because the various PAs deal with different types of data and provide services with differing technical requirements and levels of service reliability, they have different security needs. For this reason, the Three-Year Plan provides that:
- for all those PA services considered strategic assets or part of the Country’s critical infrastructure (Registry, Public Administration payment systems, etc.), the PSNs will provide Iaas / Paas infrastructure services as well as the hosting of legacy services, under direct control of the state
- all the remaining PA services must be migrated to the existing Community Cloud (Cloud SPC Lotto1) and to the commercial Cloud Service Providers (from now on referred to as CSP), which will be qualified according to the AgID Circular №2 of April 9, 2018, or replaced with applications provided in SaaS mode, qualified according to AgID Circular №3 of April 9, 2018.
Individual PAs should be incentivized to progressively adopt a Cloud First strategy. This should, as a first choice, lead to the SaaS solutions that best meet the specific and/or most useful needs of their intended purpose. If these are not able to meet the specific needs, PAs can draw upon the IaaS/PaaS resources of the PA Cloud by following the indications on AgID’s “Guidelines on the acquisition and reuse of software for the PA”.
A marketplace for the Cloud
To implement the “Cloud First” strategy, it is essential that PAs be able to choose the services and Cloud solutions best suited to their specific needs. To meet this need, the Three-Year Plan has specified for the creation of a Marketplace for the Cloud of the PA (here referred to as Marketplace), which is basically a catalog (similar to that organized by the British government in the context of the G-cloud initiative) of AgID-qualified IaaS, PaaS and SaaS services. Administrations can consult this catalog in order to start the acquisition procedure in compliance with the law.
This nascent Marketplace is a platform in which IaaS, PaaS and SaaS solutions are exposed to the PAs and qualified by AgID according to the procedures defined in the circulars, number 2/2018 and 3/2018. On one end, service providers will be able to qualify and “enter” their services into the Marketplace. On the other, the PA will be able to review these services and easily compare them to each other (thanks to the adoption of uniform classification criteria). Finally, PAs can proceed to acquire the services that have been identified as being the most convenient, according to the procedures laid down by the Procurement Code.
Although the introduction of the Marketplace doesn’t change the rules for the procurement of digital services, it makes things a lot easier for PAs, which will be able to simply and transparently choose the services that best meet their needs. AgID and the Digital Transformation Team have already started on the development of the cloud marketplace. We expect it to be completed by the end of the year.
Security and Privacy
Recent regulations on privacy and cyber security also impose on PAs the adoption of appropriate technical and organizational measures to guarantee the safety of management strategies. The new concepts of privacy by design and privacy by default may not be easy to implement, especially if individual PAs manage physical infrastructures and IT services on their own.
The Cloud model is also advantageous in the sense that it reduces the scope of responsibility to the administrative activities carried out by the Public Administration while also introducing operational advantages such as the immediate and centralized application of updates and security patches, both methods for auditing and checking information.
In any case, it’s important to remember that issues relating to guaranteeing the security of one’s own infrastructure require a continuous and constantly updated process of risk assessment and identification of the most appropriate technical solutions necessary to deal with them.
The selection of the best Cloud solutions offered by the market in terms of security, reliability and privacy must be accompanied by a constant and systematic control of security by skilled experts. It’s possible that these experts may be members of the PA’s own staff, in light of the provisions made by the Prime Ministerial Decree of February 17, 2017 regarding the lines of action to be taken on cyber security³.
The current business model, focused on sales of IT products and technical support, will necessarily have to give way to a new model based on the offer of technological services that meet the changing needs of the Public Administration and comply with the new European directives on protection of personal data and cyber-security.
It’s a market in stable expansion, within which economic players, including small and medium enterprises (SMEs), will have to compete to offer increasingly secure, reliable, innovative and affordable technological services.
This is why the private sector assumes a fundamental role in supporting the digital transformation of the country;the most innovative companies should encourage PAs to acquire these new services rather than continue the routine maintenance of expensive licenses and physical infrastructures, which are subject to rapid obsolescence.
The Transformation Process
The Cloud First strategy requires a migration process that includes tools and methodologies that enable and facilitate PAs to carry out the replacement of physical structures and update their applications.
In the Three-Year Plan, AgID and the Digital Transformation Team have defined an evolutionary path that can help the PAs in the transformation process, which provides for a real national cloud enabling program (Cloud Enablement Program — CEP)⁴, for the reorganization of IT processes in Cloud environments as well as a work environment (Cloud Enablement Framework)⁵ that defines the resources, methodologies and tools necessary to implement it.
There are three main elements that characterize this journey:
- reduction of costs and consolidation of infrastructure;
- the consolidation and strengthening of the PA’s IT skills through the creation of Skill Centers (known as Aggregators);
- the creation of an expanded community of IT technicians, experts and managers who can discuss, propose digital service standards and regulations, and share information, solutions and useful skills.
To consolidate and strengthen the PA’s IT skills, the Cloud Enablement Program provides first and foremost for the creation of Skill Centers. The purpose of these centers is to consolidate the know-how and experience related to Cloud services in the PA and, with the support of AgID, to act as aggregators by administering IT services on behalf of other PAs. These centers will also be given the responsibility of continuous improvement, training, change management and optimization of Cloud resources.
The success of the transformation process depends on people. Therefore, in addition to redefining processes, it is also necessary to foster cultural change through the creation of an extended technical community. This community is open to all workers, professionals, experts, enthusiasts and promoters of IT technologies who want to contribute to the maintenance and development of all public digital services with the objective of building, sharing and promoting the new technological skills necessary to the digital transformation of the country.
The technical community should take advantage of the longwave of this cultural movement, known as the DevOps⁶ movement, to convey the key concepts behind the change needed by the public administration. The key ideas of the DevOps philosophy can be summarized in five points.
- No more silos: the extreme isolation of knowledge due to rigid vertical organization and lack of collaboration is often the cause of serious organizational and functional problems within the IT sector.
- Outages are part of everyday life: accepting this reality allows people to avoid hiding their mistakes, and encourages to take action to resolve them and to avoid future similar accidents.
- Changes must be gradual: it’s important for changes in software and infrastructure to be frequent and gradual so that they involve low risk. In this way, people must train themselves to deal with constant change.
- Measuring is fundamental: in order to understand what’s going on, it is of crucial importance to rely on objective measurements. These allow us to verify the changes made and above all, create a shared basis for analyzing a situation.
- Tools are not enough if an organizational culture is lacking: the importance of working tools, especially those related to change management, is a big part of the DevOps movement. However, the key to success lies in the ability to adopt a new way of working: a good organizational culture allows the mitigation of a lack of tools, but the opposite can hardly be said.
Why should it be desirable also — and above all — for PA employees to participate in this enlarged community, making themselves active protagonists and promoters of the ongoing transformation?
The answer to this question may seem obvious: the proposed change requires the development and consolidation of skills that are currently lacking (if not completely absent) within the PA.
The investment of resources to be dedicated to closing the skills gap will require targeted training programs that allow workers to acquire the tools necessary to understand and govern new, mostly automated work processes.
In fact, if, on the one hand, automation drastically reduces the need for manpower used in the execution of repetitive tasks, the demand for human resources required to govern the infrastructure increases through the development and administration of automation processes⁷. The PA will therefore have a growing need for competent personnel capable of filling highly specialized roles and professions, especially from a technological point of view. Technology increases the value and importance of the cognitive aspects of work, thereby enhancing the influence of the human factor as we improve the tools available to us.
This, therefore, is the most complex challenge that the process of digital transformation of the public sector poses to the world of work and the organization of public employment.
 To learn about the advantages of adopting the Cloud paradigm already tested in other jurisdictions, refer to the British Government’s Cloud Strategy, the Australian Government’s Cloud Strategy and the Cloud Strategy of the Government of the United States of America.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016, on the protection of individuals with regard to the processing of personal data, as well as on the free movement of such data and to repeal Directive 95/46/EC (General Regulation of Data Protection). Known by the acronym GDPR (General Data Protection Regulation) and entered into force on 25.05.2016, applicable to each Member State from 25.05.2018.
 See Regulation (EU) 2016/679 (General Regulation on Data Protection), retro note 2 and Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a common high level of security of networks and information systems in the Union (NIS Directive).
 Cloud Enablement refers to the process that enables an organization to create, operate and maintain its IT infrastructures using cloud technologies. This activity is aimed at reorganizing IT organization processes in public, private or hybrid cloud environments. The Cloud Enablement Program is the set of specific projects that allow PAs to migrate applications to the cloud.
 The working framework defines the resources, strategies, methodologies and tools to implement the PA’s Cloud Enablement Program, that is, the set of projects, specific to each PA, that will lead to the migration of applications to the cloud environment.
 For further information, without pretension of exhaustiveness: L. Fong-Jones, N.R. Murphy; B. Beyer, How SRE relates to DevOps, O’Reilly Media, Inc., 2018; N.Forsgren, J. Humble, G. Kim, Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations, 2018; N. R. Murphy, J. Petoff, C. Jones, B. Beyer, Site Reliability Engineering, O’Reilly Media, Inc., 2016.
 David Autor, Professor of Economics at MIT, offers us a most interesting lecture that sheds light on how, in the history of work, this pattern has periodically repeated itself, see TEDx Cambridge talk, September 2016.